mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-25 19:04:57 -05:00
bbfdcc36c8
Add an option to enable/disable inline-signing inside the
dnssec-policy clause. The existing inline-signing option that is
set in the zone clause takes priority, but if it is omitted, then the
value that is set in dnssec-policy is taken.
The built-in policies use inline-signing.
This means that if you want to use the default policy without
inline-signing you either have to set it explicitly in the zone
clause:
zone "example" {
...
dnssec-policy default;
inline-signing no;
};
Or create a new policy, only overriding the inline-signing option:
dnssec-policy "default-dynamic" {
inline-signing no;
};
zone "example" {
...
dnssec-policy default-dynamic;
};
This also means that if you are going insecure with a dynamic zone,
the built-in "insecure" policy needs to be accompanied with
"inline-signing no;".
41 lines
938 B
Text
41 lines
938 B
Text
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
dnssec-policy "default" {
|
|
// Keys
|
|
keys {
|
|
csk key-directory lifetime unlimited algorithm 13;
|
|
};
|
|
|
|
// Key timings
|
|
cdnskey yes;
|
|
cds-digest-types { 2; };
|
|
dnskey-ttl 3600;
|
|
publish-safety 1h;
|
|
retire-safety 1h;
|
|
purge-keys P90D;
|
|
|
|
// Signature timings
|
|
signatures-refresh 5d;
|
|
signatures-validity 14d;
|
|
signatures-validity-dnskey 14d;
|
|
|
|
// Zone parameters
|
|
inline-signing yes;
|
|
max-zone-ttl 86400;
|
|
zone-propagation-delay 300;
|
|
|
|
// Parent parameters
|
|
parent-ds-ttl 86400;
|
|
parent-propagation-delay 1h;
|
|
};
|